Encryption communication system

ABSTRACT

An encryption transmission apparatus and an encryption reception apparatus avoid attacks that take advantage of re-transmission requests. A server apparatus encrypts a content key five times, thereby generating five encrypted content keys, calculates a hash value of the content key, and transmits the five encrypted content keys and the hash value. An image playback apparatus receives the five encrypted content keys and the hash value, decrypts the five encrypted content keys thereby generating five content keys, calculates hash values each corresponding to the generated content keys, and compares the calculated hash values with the received hash value respectively. If at least one of the five calculated hash values matches the received hash value, the corresponding content key is considered correct. Conversely, if none of the five calculated hash values matches the received hash value, it is considered a decryption error.

TECHNICAL FIELD

The present invention relates to an encryption technology used as an information security technology.

BACKGROUND ART

Recently, the NTRU cryptosystem has been receiving attention because it can be implemented on a processor that has comparatively low processing capability, such as those typically used in home electrical appliances.

In the NTRU cryptosystem, polynomial operations (addition and multiplication) are the basic operations, and each coefficient of the polynomial is 8 bits or below. Therefore even an 8-bit CPU can easily implement the NTRU cryptosystem. The NTRU cryptosystem runs 10-50 times faster than elliptic curve encryption, and does not need the multiple precision arithmetic library that elliptic curve encryption would require. The NTRU cryptosystem therefore has the advantage of a smaller code size than elliptic curve encryption. The NTRU cryptosystem is detailed in non-patent reference 1 and in patent reference 1, and therefore is not described here.

However, the NTRU cryptosystem can sometimes cause an error in decryption, and the occurrence of the error is not detected at the time of decryption. This is a problem of the NTRU cryptosystem, because encryption cannot be guaranteed to be correctly performed.

To solve this problem, patent reference 2 takes the following approach. The transmission apparatus performs a one-way function on a plaintext to generate a first functional value, generates first addition information, performs an invertible operation on the plaintext and on the first addition information to generate concatenation information, and performs an encryption algorithm on the concatenation information to generate a cipher text. The reception apparatus generates second addition information that is identical to the first addition information, performs a decryption algorithm on the cipher text to generate decryption concatenation information, performs an inverse operation of the invertible operation on the decryption concatenation information and on the second addition information to generate a decrypted text, performs the one-way function on the decrypted text to generate a second functional value, and compares the first functional value and the second functional value. If the values are identical to each other, the decrypted text is judged to be correct. In this way, it becomes possible to judge whether the plaintext has been correctly decrypted.

If a plaintext is judged to have been incorrectly decrypted, the receiving party can request that the transmitting party re-transmit the cipher text, and receive the cipher text again.

(Non-Patent Reference 1)

Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman, “NTRU: A ring-based public key cryptosystem”, Lecture Notes in Computer Science, 1423, pp. 267-288, Springer-Verlag, 1998

(Patent Reference 1)

U.S. Pat. No. 6,081,597

(Patent Reference 2)

Japanese Laid-open Patent application No. 2002-252611

(Non-Patent Reference 2)

J. Proos, “Imperfect Decryption and an Attack on the NTRU Encryption Scheme”, IACR ePrint Archive, 2003/002, http://eprint.iacr.org/, (2003)

Technical Problem

The non-patent reference 2 discloses an attacking method used for the NTRU cryptosystem. In this attacking method, in an attempt to obtain a key, an attacker transmits arbitrary data to a receiving party, to check whether the receiving party transmits a re-transmission request. This is a problem because this means that security cannot be guaranteed in the NTRU cryptosystem.

DISCLOSURE OF THE INVENTION

The object of the present invention is to provide an encryption communication system, an encryption transmission apparatus, an encryption transmission method, an encryption transmission program, an encryption reception apparatus, an encryption reception method, and an encryption reception program, which prevent attacks that take advantage of re-transmission requests in encryption systems.

(Means for Solving the Problem)

In view of the above-described problem, an encryption transmission apparatus encrypts one transmission message five times to generate five encrypted messages, calculates a hash value of the transmission message, and transmits the five encrypted messages and the hash value. An encryption reception apparatus receives the five encrypted messages and the hash value, decrypts the five encrypted messages to generate decrypted messages, and calculates decryption hash values for the decrypted messages respectively. If at least one of the decryption hash values matches the hash value, the corresponding decrypted message is considered to be correct. If none of the five decryption hash values matches the hash value, a decryption error is considered to have occurred.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a system structure diagram showing the structure of the image playback system 10, which is an embodiment relating to the present invention.

FIG. 2 is a functional block diagram showing the structure of a server apparatus 100.

FIG. 3 is a functional block diagram showing the structure of an image playback apparatus 200.

FIG. 4 is a flowchart showing the operation of the server apparatus 100.

FIG. 5 is a flowchart showing the operation of the image playback apparatus 200, to be continued to FIG. 6.

FIG. 6 is a flowchart showing the operation of the image playback apparatus 200, which is a continuation from FIG. 5.

FIG. 7 is a functional block diagram showing the structure of an image playback apparatus 200 b and a memory card 300 b, which are included in the image playback system 10 being a modification example.

FIG. 8 is a system structure diagram showing the structure of a BD playback system 10 c, which is another embodiment relating to the present invention.

FIG. 9 is a functional block diagram showing the structure of a memory card 300 c and a BD player 200 c, which are included in the BD playback system 10 c.

BEST MODE FOR CARRYING OUT THE INVENTION

The following explains an image playback system 10, which is one embodiment relating to the present invention.

1. Image Playback System 10

The image playback system 10 is, as shown in FIG. 1, made up of a server apparatus 100 and an image playback apparatus 200, which are connected to each other via an Internet 20.

The server apparatus 100 encrypts a content, and transmits the encrypted content to the image playback apparatus 200 via the Internet 20. The image playback apparatus 200 receives the encrypted content, decrypts the received encrypted content to generate a content, plays back the generated content, and outputs the image and the audio to the monitor 50 and to the speaker 40, both of which are connected to the image playback apparatus 200.

1.1 Structure of Server Apparatus 100

The server apparatus 100 is, as shown in FIG. 2, made up of an information storage unit 101, a random-number generation unit 102, a first encryption unit 103, a hash unit 104, a second encryption unit 105, a transmission/reception unit 106, a control unit 107, an input unit 108, and a display unit 109.

The server apparatus 100 is specifically a computer system constituted by a microprocessor, a ROM, a RAM, a hard disk unit, a display unit, a keyboard, a mouse, and the like. The RAM or the hard disk unit records therein a computer program. The server apparatus 100 performs part of its function, by the microprocessor operating according to the computer program.

(1) Information Storage Unit 101

The information storage unit 101, as shown in FIG. 2, stores therein a public key Kp, a content key Kc, and a content C.

The public key Kp is generated based on a secret key Ks generated using a key generation method of the NTRU cryptosystem, and is 1841 bits long for a 263-dimension NTRU cryptosystem. The secret key Ks will be detailed later.

The content C is movie data made of image information and audio information.

(2) Random-Number Generation Unit 102

The random-number generation unit 102, by being controlled by the control unit 107, repeats, five times, a series of operations of: generating a random number Ri having 64 bits; and outputting the generated random number Ri to the first encryption unit 103.

(3) First Encryption Unit 103

The first encryption unit 103, by being controlled by the control unit 107, reads the public key Kp and the content key Kc from the information storage unit 101. Then the first encryption unit 103 repeats the following operations (a)-(c) five times, by being controlled by the control unit 107.

(a) Receive a random number Ri from the random-number generation unit 102.

(b) Concatenate the read content key Kc with the received random number Ri (i.e. Kc∥Ri).

(c) Perform an encryption algorithm Enc1 on the concatenation of the content key Kc and the random number Ri, to generate an encrypted content key Ekci, i.e.

Ekci=Enc1(Kp,Kc∥Ri)

Here “∥” is an operator representing concatenation, the encryption algorithm Enc1 is an algorithm of the NTRU cryptosystem, and X=Enc1(Y,Z) shows that the encryption algorithm Enc1 is performed on a plaintext Z using a key Y, to generate a cipher text X.

In the above way, five encrypted content keys Ekc1, Ekc2, . . . , Ekc5 are generated.

Next, the first encryption unit 103 outputs the five encrypted content keys Ekc1, Ekc2, . . . , Ekc5, to the transmission/reception unit 106.

Please note here that, in FIG. 2, each block is connected to the other blocks, by a connection line (the drawing does not show all the connection lines). Each connection line signifies a path through which a signal or information is transmitted. In addition, among the connection lines connected to the block representing the first encryption unit 103, the connection line on which a key mark is drawn signifies a path through which information as a key is transmitted to the first encryption unit 103. The same thing applies to the block representing the second encryption unit 105. The same thing also applies to the other drawings.

(4) Hash Unit 104

The hash unit 104, by being controlled by the control unit 107, reads the content key Kc from the information storage unit 101 and performs a hash function “Hash” on the read content key Kc to generate a hash value H, the hash function “Hash” being a one-way function.

H=Hash(Kc)

Here, one example of the hash function “Hash” is SHA-1. Since the SHA-1 is publicly-known, the explanation thereof is omitted here. In this case, the length of the hash value H is 160 bits.

Next, the hash unit 104 outputs the generated hash value H to the transmission/reception unit 106.

(5) Second Encryption Unit 105

The second encryption unit 105, by being controlled by the control unit 107, reads the content key Kc and the content C from the information storage unit 101, and performs the encryption algorithm Enc2 on the read content C using the read content key Kc, to generate an encrypted content EC.

EC=Enc2(Kc,C)

Here, the encryption algorithm Enc2 is an algorithm of triple DES. Since the triple DES is publicly-known, the explanation thereof is omitted here.

Next, the second encryption unit 105 outputs the generated encrypted content EC to the transmission/reception unit 106.

(6) Transmission/Reception Unit 106

The transmission/reception unit 106 is connected to the image playback apparatus 200, via the Internet 20.

The transmission/reception unit 106, by being controlled by the control unit 107, receives the five encrypted content keys Ekc1, Ekc2, . . . , Ekc5 from the first encryption unit 103, receives the hash value H from the hash unit 104, and receives the encrypted content EC from the second encryption unit 105. The transmission/reception unit 106 then transmits the received five encrypted content keys Ekc1, Ekc2, . . . , Ekc5, the hash value H, and the encrypted content EC, to the image playback apparatus 200 via the Internet 20.

(7) Control Unit 107, Input Unit 108, and Display Unit 109

The control unit 107 controls the random-number generation unit 102, the first encryption unit 103, the hash unit 104, the second encryption unit 105, and the transmission/reception unit 106.

The input unit 108 receives an operation instruction from an operator of the server apparatus 100, and outputs the received instruction to the control unit 107.

The display unit 109 displays various kinds of information, by being controlled by the control unit 107.

1.2 Structure of Image Playback Apparatus 200

The image playback apparatus 200 is, as shown in FIG. 3, made up of a transmission/reception unit 201, a first decryption unit 202, a hash unit 203, a judgment unit 204, an information storage unit 205, a second decryption unit 206, a playback unit 207, a control unit 208, an input unit 209, and a display unit 210.

Just as the server apparatus 100, the image playback apparatus 200 is constituted by a microprocessor, a ROM, a RAM, and so on. The RAM records therein a computer program. The image playback apparatus 200 performs part of its function, by the microprocessor operating according to the computer program.

(1) Image Storage Unit 205

As shown in FIG. 3, the image storage unit 205 stores therein a secret key Ks.

The secret key Ks is generated using the key generation method of the NTRU cryptosystem, and has 415 bit length for a 263-dimension NTRU cryptosystem.

(2) Transmission/Reception Unit 201

The transmission/reception unit 201 is connected to the server apparatus 100, via the Internet 20.

The transmission/reception unit 201, by being controlled by the control unit 208, receives the five encrypted content keys Ekc1, Ekc2, . . . , Ekc5, the hash value H, and the encrypted content EC. The transmission/reception unit 201 outputs the five encrypted content keys Ekc1, Ekc2, . . . , Ekc5 to the first decryption unit 202, outputs the hash value H to the judgment unit 204, and outputs the encrypted content EC to the second decryption unit 206.

(3) First Decryption Unit 202

The first decryption unit 202, by being controlled by the control unit 208, receives the five encrypted content keys Ekc1, Ekc2, . . . , Ekc5, from the transmission/reception unit 201, and reads the secret key Ks from the information storage unit 205. The first decryption unit 202 repeats the following operations (a)-(c) five times, by being controlled by the control unit 208.

(a) Perform a decryption algorithm Dec1 on an encrypted content key EKci, using the secret key Ks, to generate a content key DKci.

DKci=Dec1(Ks, Ekci)

Here, the decryption algorithm Dec1 is an algorithm of the NTRU cryptosystem, and decrypts the cipher text generated according to the encryption algorithm Enc1. Z=Dec1(Y,X) means to perform a decryption algorithm Dec1 on a cipher text X to obtain a decrypted text Z.

(b) From the generated content key DKci, delete the 64-bit random-number portion at the very last.

(c) Output the content key DKci from which the random-number portion has been deleted, to the hash unit 203 and to the judgment unit 204.

In the above way, five content keys DKci are outputted to the hash unit 203 and to the judgment unit 204.

(4) Hash Unit 203

The hash unit 203 performs the following operations (a)-(b) five times, by being controlled by the control unit 208.

(a) Receive a content key DKci from the first decryption unit 202.

(b) Perform the hash function “Hash” on the received content key DKci, to generate a hash value Hi.

Hi=Hash(DKci)

Next the hash unit 203 outputs the generated hash value Hi to the judgment unit 204.

(5) Judgment Unit 204

The judgment unit 204, by being controlled by the control unit 208, receives the hash value H from the transmission/reception unit 201, and repeats five times the following operations (a)-(d).

(a) Receive a hash value Hi from the hash unit 203.

(b) Receive a content key DKci from the first decryption unit 202.

(c) Judge whether the hash value H is identical to the hash value Hi.

(d) If judging affirmatively, store the value of “i” and the content key DKci, in association.

If there is any value of “i” stored after the above operations (a)-(d) are performed five times, it is judged that the encrypted content key has been correctly decrypted, and the content key DKci stored in association with the value of “i” is outputted to the second decryption unit 206, and a decryption result showing that the decryption has been correctly performed is outputted to the control unit 208.

If there is no value of “i” stored, it is judged that the encrypted content key has not been correctly decrypted, and a decryption result representing such is outputted to the control unit 208.

(6) Second Decryption Unit 206

The second decryption unit 206, by being controlled by the control unit 208, receives the content key DKci from the judgment unit 204, receives the encrypted content EC from the transmission/reception unit 201, and performs a decryption algorithm Dec2 on the received encrypted content EC using the received content key DKci, to generate a content C.

Here, the decryption algorithm Dec2 is an algorithm of triple DES, and decrypts the cipher text generated according to the encryption algorithm Enc2.

Then, the second decryption unit 206 outputs the generated content C to the playback unit 207.

(7) Playback Unit 207

The playback unit 207, by being controlled by the control unit 208, receives a content C, plays back the received content C, generates an image signal and an audio signal, and outputs the image signal and the audio signal to the monitor 50 and to the speaker 40, respectively.

The monitor 50 and the speaker 40 respectively output the images and the audios.

(8) Control Unit 208, Input Unit 209, and Display Unit 210

The control unit 208 controls the transmission/reception unit 201, the first decryption unit 202, the hash unit 203, the judgment unit 204, the second decryption unit 206, and the playback unit 207.

The control unit 208 receives a decryption result either showing that the encrypted content key has been correctly decrypted, or showing that it has not been correctly decrypted.

When receiving a decryption result showing that the encrypted content key has not been correctly decrypted, the control unit 208 controls the second decryption unit 206 not to perform decryption, and controls the display unit 210 to display “decryption error”.

When receiving a decryption result showing that the encrypted content key has been correctly decrypted, the control unit 208 controls the second decryption unit 206 to perform decryption.

The input unit 209 receives an operation instruction from a user of the image playback apparatus 200, and outputs the received instruction to the control unit 208.

The display unit 210 displays various kinds of information, by being controlled by the control unit 208.

1.3 Operation of Image Playback System 10

The following describes operations performed by the image playback system 10.

(1) Operation of Server Apparatus 100

The following describes operations of the server apparatus 100, with use of the flowchart shown in FIG. 4.

The first encryption unit 103 reads a content key Kc from the information storage unit 101 (Step S101), and then reads a public key Kp (Step S102).

Next, the control unit 107 performs control so that Steps S104-S105 are repeated five times, at Steps S103-S106. Please note that in the notations of the random number Ri and the encrypted content key Ekci, the “i” is a suffix representing a time of repeating, and changes to i=1, 2, 3, 4, 5, at each repetition.

The random-number generation unit 102 generates a random number Ri of 64 bits, outputs the generated random number Ri to the first encryption unit 103 (Step S104). The first encryption unit 103 concatenates the content key Kc with the random number Ri, and performs the encryption algorithm Enc1 on the concatenation of the content key Kc and the random number Ri, thereby generating an encrypted content key EKci (Step S105).

By repeating Step S104-S105 five times in the above way, five encrypted content keys Ekc1, Ekc2, . . . , Ekc5 are generated.

Next, the hash unit 104 reads the content key Kc from the information storage unit 101, and performs a hash function “Hash”, being a one-way function, on the read content key Kc, thereby generating a hash value H (Step S107).

The second encryption unit 105 reads the content key Kc from the information storage unit 101 (Step S108), reads the content C (Step S109), and performs an encryption algorithm Enc2 on the read content C using the read content key Kc, thereby generating an encrypted content EC (Step S110).

The transmission/reception unit 106 transmits the five encrypted content keys EKc1, EKc2, . . . , EKc5, the hash value H, and the encrypted content EC, to the image playback apparatus 200 via the Internet 20 (Step S111).

(2) Operation of Image Playback Apparatus 200

The following describes operations of the image playback apparatus 200, with use of the flowcharts shown in FIG. 5-FIG. 6.

The transmission/reception unit 201 receives the five content keys EKc1, EKc2, . . . , EKc5, the hash value H, and the encrypted content EC, from the server apparatus 100 and via the Internet 100, and outputs the content keys EKc1, EKc2, . . . , EKc5 to the first decryption unit 202, the hash value H to the judgment unit 204, and the encrypted content EC to the second decryption unit 206 (Step S131).

The first decryption unit 202 reads the secret key Ks from the information storage unit 205 (Step S132). Next, the control unit 208 performs control so that Steps S134-S138 are repeated five times, at Steps S133-S139. Please note that in the notations of the encrypted content key Ekc1, the content key DKci, and the hash value Hi, the “i” is a suffix representing a time of repeating, and changes to i=1, 2, 3, 4, 5, at each repetition.

The first decryption unit 202 performs a decryption algorithm Dec1 on the encrypted content key Ekci, using the secret key Ks, thereby generating a content key DKci (Step S134), and from the generated content key DKci, deletes a 64-bit random-number portion at the very last, and outputs the content key DKci from which the random-number portion has been deleted, to the hash unit 203 and to the judgment unit 204 (Step S135).

Then, the hash unit 203 receives the content key DKci from the first decryption unit 202, and performs the hash function “Hash” on the received content key DKci, thereby generating a hash value Hi (Step S136).

The judgment unit 204 receives the hash value Hi from the hash unit 203, receives the content key DKci from the first decryption unit 202, judges whether the hash value H and the hash value Hi are identical (Step S137), and if they are identical (Step S137), memorizes the value of “i” at this time, in correspondence with the content key DKci (Step S138).

After Steps S134-S138 are repeated five times, if there is a memorized value of “i” (Step S140), it is judged that the decryption of the encrypted content key has been correctly performed, and so the second decryption unit 206 receives the content key DKci from the judgment unit 204, receives the encrypted content EC from the transmission/reception unit 201, and performs the decryption algorithm Dec2 on the received encrypted content EC using the received content key DKci, thereby generating a content C (Step S141). The playback unit 207 receives the content C from the second decryption unit 206, plays back the content C, generates an image signal and an audio signal, and outputs the image signal and the audio signal to the monitor 50 and to the speaker 40, respectively. The monitor 50 and the speaker 40 respectively output the images and the audios (Step S142).

If there is no memorized value of “i” (Step S140), the judgment unit 204 judges that none of the five encrypted content keys was decrypted correctly, and so outputs a decryption result indicating such to the control unit 208. The control unit 208 controls the second decryption unit 206 not to perform decryption, controls the display unit 210 to display “decryption error”, and so the display unit 210 displays “decryption error”.

In the above description, the control unit 208 performs control so that Steps S134-S138 are repeated five times, at Steps S133-S139. It is also possible that if the hash value H and the hash value Hi are judged to be identical at Step S137, the control can come out of the loop of Steps S134-S138.

1.4 Summary

As described above, this embodiment attempts to reduce the possibility that a message m (“content key” in the embodiment) cannot be decrypted, by encrypting and transmitting the message m several times. Accordingly, re-transmission requests for the message m will occur less often.

The transmission apparatus (“server apparatus” in the embodiment) generates random numbers R1-R5, generates m∥R1, m∥R2, m∥R3, m∥R4, and m∥R5, and encrypts each of them, to generate Enc(m∥R1), Enc(m∥R2), Enc(m∥R3), Enc(m∥R4), and Enc(m∥R5). Here, Enc(X) means to perform the encryption algorithm Enc on the plaintext X, to generate a cipher text. Next, the hash value H(m) is calculated. The generated Enc(m∥R1), Enc(m∥R2), Enc(m∥R3), Enc(m∥R4), and Enc(m∥R5), together with the hash value H(m) are then transmitted to the reception apparatus (“image playback apparatus” in the embodiment).

The reception apparatus receives the Enc(m∥R1), Enc(m∥R2), Enc(m∥R3), Enc(m∥R4), and Enc(m∥R5), together with the hash value H(m), and decrypts Enc(m∥R1), Enc(m∥R2), Enc(m∥R3), Enc(m∥R4), and Enc(m∥R5), to obtain a part of each of them, namely, m1, m2, . . . m5, which corresponds to a message. Furthermore, the hash value of each of m1, m2, . . . m5 is calculated (H(m1), H(m2), . . . H(m5)). Then each of the calculated hash values is compared to the hash value H(m). In this comparison, if there is at least one matching pair of the calculated hash value and the received hash value H(m), then the message (out of m1, m2, m3) that corresponds to the matching hash value is outputted as a decrypted text. If there is no such matching pair, “False” indicating decryption error is outputted.

In the NTRU cryptosystem of 263 dimensions, the probability of causing decryption error for one cipher text is about 10⁻⁵. Since five cipher texts are transmitted in the above-described embodiment, the probability of causing re-transmission request will be about 10⁻²⁵ (=10⁻⁵*10⁻⁵*10⁻⁵*10⁻⁵*10⁻⁵). On the other hand, the probability of attack success in the 1024-bit RSA encryption is 20⁻⁸⁰=10⁻²⁴. Therefore, if the above-described embodiment is applied to the 263-dimension NTRU cryptosystem, the probability of attack success becomes lower than the case of the 1024-bit RSA encryption.
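The exchange summarized in this section, as an added Python sketch that is not part of the original specification. Enc1/Dec1 are replaced by a hypothetical symmetric toy cipher (so Kp and Ks collapse into one constructed key), the `inject_error` flag simulates an undetected NTRU decryption error, and all function names and sample values are assumptions.

```python
import hashlib
import hmac
import os

RAND_LEN = 8    # 64-bit random number Ri appended to the content key
COPIES = 5      # number of encrypted content keys in the embodiment
NONCE_LEN = 16  # used by the stand-in cipher only, not described on the page


def _keystream(key, nonce, length):
    """SHA-256 counter keystream for the stand-in cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def enc1(key, plaintext):
    """Stand-in for Enc1 (NTRU on the page): a toy randomized cipher,
    for illustration only and not suitable for real use."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def dec1(key, ciphertext, inject_error=False):
    """Stand-in for Dec1. inject_error flips one plaintext bit without
    raising, mimicking a decryption error that Dec1 itself cannot see."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    plain = bytearray(c ^ s for c, s in zip(body, stream))
    if inject_error:
        plain[0] ^= 0x01
    return bytes(plain)


def server_package(kc, key, copies=COPIES):
    """Server side: Ekci = Enc1(Kp, Kc || Ri) for each i, plus H = Hash(Kc)."""
    ekcs = [enc1(key, kc + os.urandom(RAND_LEN)) for _ in range(copies)]
    return ekcs, hashlib.sha1(kc).digest()  # SHA-1 is the page's example hash


def recover_content_key(ekcs, h, key, failing=()):
    """Playback side: decrypt every copy, drop the trailing random number,
    hash, and compare with H. Returns the first matching key or None.

    `failing` lists the 1-based copies whose decryption is made to go wrong.
    None corresponds to the "decryption error" display; no re-transmission
    request is sent in either case.
    """
    stored = {}
    for i, ekc in enumerate(ekcs, start=1):
        dkc = dec1(key, ekc, inject_error=(i in failing))[:-RAND_LEN]
        hi = hashlib.sha1(dkc).digest()
        if hmac.compare_digest(hi, h):  # constant-time comparison of Hi and H
            stored[i] = dkc
    if not stored:
        return None
    return stored[min(stored)]


def all_copies_fail_probability(p_single, copies=COPIES):
    """Probability that every copy fails, assuming independent failures."""
    return p_single ** copies


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed stand-in for the key pair
    demo_kc = bytes(range(24))   # constructed sample content key
    ekcs, h = server_package(demo_kc, demo_key)
    print(recover_content_key(ekcs, h, demo_key, failing={1, 2, 3, 4}) == demo_kc)
    print(recover_content_key(ekcs, h, demo_key, failing={1, 2, 3, 4, 5}))
    print(all_copies_fail_probability(1e-5))
```
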

2. Other Modification Examples

So far, the present invention has been described based on the embodiment. However, needless to say, the present invention should not be limited to the above-described embodiment, and may include the following cases.

(1) In the above-described embodiment, five encrypted content keys are transmitted. However, five encrypted contents may be transmitted instead.

(2) In the above-described embodiment, the transmission apparatus generates five cipher texts and transmits them, and the reception apparatus receives the five cipher texts and decrypts them. However, the number of the cipher texts is not limited to 5, and may be 3, or 7, for example. In addition, the transmission apparatus may generate two or more cipher texts and transmit them, and the reception apparatus receives these cipher texts, decrypts them, and uses them in judgment as to whether decryption error has occurred. As stated above, the number of cipher texts affects the probability of attack success: the larger the number of cipher texts, the lower the probability of attack success.

(3) In the above-described embodiments, an encryption algorithm is performed on a concatenation of the message m to be encrypted and a random number generated each time. However, the transmission apparatus may perform another operation on the message m in advance, and perform the encryption algorithm on the concatenation of the operation result and the random number.

For example, the transmission apparatus may add, to the message m, “0”, “1”, “2”, “3”, and “4”, respectively, to obtain “m”, “m+1”, “m+2”, “m+3”, and “m+4”. The transmission apparatus then performs an encryption algorithm on each concatenation of a calculation result and a random number, to generate Enc(m∥R1), Enc(m+1∥R2), Enc(m+2∥R3), Enc(m+3∥R4), Enc(m+4∥R5).

The reception apparatus decrypts Enc(m∥R1), Enc(m+1∥R2), Enc(m+2∥R3), Enc(m+3∥R4), Enc(m+4∥R5), and deletes from each of the decryption results, a random-number portion at the very last, the random-number portion having a predetermined length. The reception apparatus then subtracts “0”, “1”, “2”, “3”, “4”, respectively from the decryption results from which their random-number portion has been subtracted, thereby obtaining information that corresponds to the message m.

(4) In the above-described embodiment, the transmission apparatus concatenates the message m with the random number, in the stated order, and performs an encryption algorithm on the concatenation results. However, the order of concatenation may be reverse (i.e. the random number and the message m may be concatenated in this order). Moreover, the message m and the random number may be alternately concatenated bit by bit. If such concatenation methods are adopted, the reception apparatus can obtain information corresponding to the message m, by performing their reverse operation, respectively.

(5) In the above-described embodiment, the server apparatus transmits five encrypted content keys, an encrypted content, and a hash value, to the image playback apparatus via the Internet. However, the present invention is not limited to this embodiment.

It is also possible that a digital broadcast transmission apparatus (instead of the server apparatus) may broadcast the five encrypted content keys, the encrypted content, and the hash value, via a digital broadcast wave (instead of the Internet), and that a digital broadcast reception apparatus (instead of the image playback apparatus) receives the digital broadcast wave, to extract the five encrypted content keys, the encrypted content, and the hash value, from the received digital broadcast wave.

(6) The image playback system 10 may include the image playbackapparatus 200 b and the memory card 300 b, instead of the image playbackapparatus 200.

The image playback apparatus 200 b is equipped with a part of thefunction that the image playback apparatus 200 includes, and the memorycard 300 b is equipped with the other part of the function that theimage playback apparatus 200 includes.

Which is to say, the memory card 300 b, being inserted to the imageplayback apparatus 200 b by a user, receives the five encrypted contentkeys and the hash value from the server apparatus 100, judges whetherthe encrypted content keys have been correctly decrypted, and if judgingaffirmatively, outputs the correctly decrypted content key to the imageplayback apparatus 200 b. The image playback apparatus 200 b receivesthe content key from the memory card 300 b, and decrypts the encryptedcontent received from the server apparatus 100, for playback.

Specifically, as FIG. 7 shows, the image playback apparatus 200 b is composed of a transmission/reception unit 201, a second decryption unit 206, a playback unit 207, a control unit 208, an input unit 209, a display unit 210, an input/output unit 211, and an authentication unit 212.

Here, among the components of the image playback apparatus 200 b, the transmission/reception unit 201, the second decryption unit 206, the playback unit 207, the control unit 208, the input unit 209, and the display unit 210 are respectively the same as the counterparts of the image playback apparatus 200, namely, the transmission/reception unit 201, the second decryption unit 206, the playback unit 207, the control unit 208, the input unit 209, and the display unit 210. In addition, the input/output unit 211 performs input/output of information between the memory card 300 b and the other components of the image playback apparatus 200 b. Furthermore, the authentication unit 212, when a memory card is inserted in the image playback apparatus 200 b, performs mutual device authentication with the inserted memory card. Only when the device authentication has succeeded, input/output thereafter will be performed.

As FIG. 7 shows, the memory card 300 b is composed of an input/output unit 301, an authentication unit 302, a first decryption unit 202 b, a hash unit 203 b, a judgment unit 204 b, and an information storage unit 205 b.

Here, the first decryption unit 202 b, the hash unit 203 b, the judgment unit 204 b, and the information storage unit 205 b are respectively the same as the counterparts of the image playback apparatus 200, namely, the first decryption unit 202, the hash unit 203, the judgment unit 204, and the information storage unit 205. In addition, the input/output unit 301 performs input/output of information between the other components of the memory card 300 b and the image playback apparatus 200 b. Furthermore, the authentication unit 302, when the memory card 300 b is inserted into an apparatus, performs mutual device authentication with the apparatus in which the memory card 300 b has been inserted. Only when the device authentication has succeeded, input/output thereafter will be performed.

(7) Another Embodiment

The following describes a BD (Blu-ray disc) playback system 10 c, which is another embodiment relating to the present invention.

As FIG. 8 shows, the BD playback system 10 c is composed of a server apparatus 100 c, a BD player 200 c, and a portable telephone 400 c. The server apparatus 100 c and the portable telephone 400 c are connected to each other, via the Internet 20, the portable telephone network 25, and the wireless base station 26.

(Structure of BD Playback System 10 c)

The server apparatus 100 c has the same structure as the server apparatus 100.

The BD player 200 c, as shown in FIG. 9, is composed of a drive unit 213, a second decryption unit 206, a playback unit 207, a control unit 208, an input unit 209, a display unit 210, an input/output unit 211, and an authentication unit 212.

Here, among the components of the BD player 200 c, the second decryption unit 206, the playback unit 207, the control unit 208, the input unit 209, and the display unit 210 are respectively the same as the counterparts of the image playback apparatus 200, namely, the second decryption unit 206, the playback unit 207, the control unit 208, the input unit 209, and the display unit 210. In addition, the input/output unit 211 performs input/output of information between the memory card 300 c and the other components of the BD player 200 c. Furthermore, the authentication unit 212, when a memory card is inserted in the BD player 200 c, performs mutual device authentication with the inserted memory card. Only when the device authentication has succeeded, input/output thereafter will be performed. The drive unit 213 reads an encrypted content from the inserted BD60, and outputs the read encrypted content to the second decryption unit 206.

As FIG. 9 shows, the memory card 300 c is composed of an input/output unit 301 c, an authentication unit 302 c, a first decryption unit 202 c, a hash unit 203 c, a judgment unit 204 c, and an information storage unit 205 c.

Here, the first decryption unit 202 c, the hash unit 203 c, the judgment unit 204 c, and the information storage unit 205 c are respectively the same as the counterparts of the image playback apparatus 200, namely, the first decryption unit 202, the hash unit 203, the judgment unit 204, and the information storage unit 205. In addition, the input/output unit 301 c performs input/output of information between the other components of the memory card 300 c and the BD player 200 c. Furthermore, the authentication unit 302 c, when the memory card 300 c is inserted in an apparatus, performs mutual authentication with the apparatus in which the memory card 300 c has been inserted. Only when the device authentication has succeeded, input/output thereafter will be performed. The information storage unit 205 c has an area for storing a secret key Ks, five encrypted content keys, a hash value, and a content key having been reproduced.

(Operation of BD Playback System 10 c)

A BD60 is distributed, which stores therein an encrypted content generated by encrypting a content with use of a content key. A user acquires this BD60.

The content key is distributed through a different route from a route through which the BD60 is distributed.

Just as the server apparatus 100, the server apparatus 100 c generates five encrypted content keys and a hash value from the content key, and transmits the five encrypted content keys and the hash value to the portable telephone 400 c, via the Internet 20, the portable telephone network 25, and the wireless base station 26.

A user inserts the memory card 300 c to the portable telephone 400 c.

The portable telephone 400 c receives the five encrypted content keys and the hash value from the server apparatus 100 c, and writes the five encrypted content keys and the hash value to the information storage unit 205 c, via the input/output unit 301 c of the memory card 300 c.

The information storage unit 205 c of the memory card 300 c temporarily stores the five encrypted content keys and the hash value. The first decryption unit 202 c reads, from the information storage unit 205 c, encrypted content keys and decodes them, and outputs the content keys after decryption to the hash unit 203 c and to the judgment unit 204 c. The judgment unit 204 c reads the hash value from the information storage unit 205 c, and judges whether the encrypted content keys have been correctly decoded, with reference to the content keys after decryption. If judging affirmatively, the judgment unit 204 c writes the correctly decoded content key to the information storage unit 205 c.

The memory card 300 c and the BD60 are inserted into the BD player 200 c by a user.

The BD player 200 c reads the encrypted content from the BD60, reads the correctly decoded content key from the information storage unit 205 c of the memory card 300 c, decodes the read encrypted content using the read content key, to generate a content, plays back the generated content, and outputs the images and the audios to the monitor 50 and to the speaker 40, which have been connected to the BD player 200 c.

(8) In the above-described embodiment, the NTRU cryptosystem of 263 dimensions is used, and the bit lengths of the secret key and the public key are respectively set as 415 bits, and 1841 bits. However, the dimension and the bit length are only one example.

In addition, the hash unit 104 and the hash unit 203 use SHA-1 as a hash function “Hash”. However, other hash functions may be used instead.

(9) The present invention may be the methods described above. In addition, the present invention may be a computer program realizing these methods on a computer, and may be a digital signal made up of the computer program.

Furthermore, the present invention may be a computer-readable recording medium on which the computer program or the digital signal is recorded. The examples of the computer-readable recording medium include a flexible disk, a hard disk, a CD-ROM, a MO, a DVD, a DVD-ROM, a DVD-RAM, a BD (Blu-ray disc), and a semiconductor memory. Still further, the present invention may be the computer program or the digital signal recorded on such a recording medium.

In addition, the present invention may be the computer program or the digital signal, which is transmitted via an electric communication circuit, wireless/wired communication circuits, and a network such as the Internet, and data broadcast.

In addition, the present invention may be a computer system equipped with a microprocessor and a memory, where the memory stores therein the computer program, and the microprocessor operates according to the computer program.

In addition, the computer program or the digital signal may be executed on another and independent computer system, by being transmitted either in the form of the recording medium, or via the network and the like.

(10) The present invention may be a combination of any of the embodiments and the modification examples.

3. Effect of Invention

As described so far, the present invention is an encryption communication system for secret message communication, having an encryption transmission apparatus and an encryption reception apparatus, where the encryption transmission apparatus includes: a storage unit that stores therein one message; an encryption unit operable to perform an encryption computation on the message a plural number of times, thereby generating ciphertexts equal in number to the number of times of the encryption computation; a computation unit operable to perform a one-way operation on the message, thereby generating a comparison computation value; and a transmission unit operable to transmit the ciphertexts and the comparison computation value, and the encryption reception apparatus includes: a reception unit operable to receive the ciphertexts and the comparison computation value; a decryption unit operable to perform a decryption computation, which corresponds to the encryption computation, on each of the ciphertexts, thereby generating decrypted messages equal in number to the number of the ciphertexts; a computation unit operable to perform the one-way operation on each of the decrypted messages, thereby generating decryption computation values equal in number to the number of the decrypted messages; and a judging unit operable to compare the decryption computation values with the received comparison computation value, and i) if at least one of the decryption computation values matches the received comparison computation value, output a corresponding decrypted message as a correct decrypted text, and ii) if none of the decryption computation values matches the received comparison computation value, output a decryption error.

The present invention is also an encryption transmission apparatus for secret message communication, having: a storage unit that stores therein one message; an encryption unit operable to perform an encryption computation on the message a plural number of times, thereby generating ciphertexts equal in number to the number of times of the encryption computation; a computation unit operable to perform a one-way operation on the message, thereby generating a comparison computation value; and a transmission unit operable to transmit the ciphertexts and the comparison computation value.

The present invention is also an encryption reception apparatus for secret message communication, where the encryption transmission apparatus stores therein one message, performs an encryption computation on the message a plural number of times thereby generating ciphertexts equal in number to the number of the encryption computation, performs a one-way operation on the message thereby generating a comparison computation value, and transmits the ciphertexts and the comparison computation value, the encryption reception apparatus having: a reception unit operable to receive the ciphertexts and the comparison computation value; a decryption unit operable to perform a decryption computation, which corresponds to the encryption computation, on each of the ciphertexts, thereby generating decrypted messages equal in number to the number of the ciphertexts; a computation unit operable to perform the one-way operation on each of the decrypted messages, thereby generating decryption computation values equal in number to the number of the decrypted messages; and a judging unit operable to compare the decryption computation values with the received comparison computation value, and i) if at least one of the decryption computation values matches the received comparison computation value, output a corresponding decrypted message as a correct decrypted text, and ii) if none of the decryption computation values matches the received comparison computation value, output a decryption error.

According to these constructions, the encryption transmission apparatus generates a plural number of ciphertexts from a message, and performs a one-way computation on the message to generate a comparison computation value. The encryption reception apparatus decrypts the ciphertexts thereby generating decrypted messages equal in number to the number of the ciphertexts, and performs the one-way computation on the decrypted messages to generate decryption computation values equal in number to the number of the decrypted messages. If at least one of the decryption computation values matches the comparison computation value, the encryption reception apparatus outputs the corresponding decrypted message, and if none of the decryption computation values matches the comparison computation value, outputs a decryption error. Therefore the constructions keep the probability of an error at the time of decryption low, and so heighten the possibility of avoiding attacks that take advantage of a re-transmission request.

Here, the encryption unit may have: an encryption computation subunit operable to perform an invertible data conversion on the message thereby generating a converted message, and perform an encryption algorithm on the converted message thereby generating a ciphertext; and a repetition control subunit operable to control the encryption computation subunit to repeat the generation of converted message and the generation of ciphertext, the plural number of times.

In addition, it is possible to have a structure in which the encryption transmission apparatus performs an invertible data conversion on the message thereby generating a converted message, performs an encryption algorithm on the converted message thereby generating a ciphertext, and repeats the generation of converted message and the generation of ciphertext, the plural number of times, and the decryption unit has: a decryption computation subunit operable to perform a decryption algorithm, which corresponds to the encryption algorithm, on a ciphertext thereby generating a decrypted text, and perform an inverse conversion of the invertible data conversion on the decrypted text thereby generating a decrypted message; and a repetition control subunit operable to control the decryption computation subunit to repeat the generation of decrypted content and the generation of decrypted message, the plural number of times.

According to these constructions, the encryption transmission apparatus performs an invertible data conversion on the message to generate a converted message, and performs an encryption algorithm on the converted message to generate a ciphertext. Therefore even when the ciphertext to be transmitted is intercepted on the transmission path and is encrypted, the original message has little chance of being revealed. In addition, the encryption reception apparatus performs, on the ciphertext, a decryption algorithm that corresponds to the encryption algorithm to generate a decrypted text, and performs an inverse conversion of the invertible data conversion on the decrypted text to generate a decrypted message. Therefore generation of a decrypted message corresponding to the message is assured.

Here, the encryption computation subunit may generate a random number of fixed length, and generate the converted message by adding the random number to the message.

In addition, it is possible to have a structure in which the encryption transmission apparatus generates a random number of fixed length, and generates the converted message by adding the random number to the message, and the decryption computation subunit generates the decrypted message by removing the random number of fixed length from the decrypted content.

According to these constructions, the encryption transmission apparatus adds a random number of fixed length to the message, thereby generating a converted message. Therefore an inverse conversion is easily performed. In addition, the encryption reception apparatus removes, from the generated decrypted text, the random number of fixed length to generate a decrypted message. Therefore generation of a decrypted message is assured.
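The constructions above, traced end to end as an added example that is not part of the original specification: the transmitter appends a fresh fixed-length random number to the message for each of five ciphertexts and sends a SHA-1 value of the message; the receiver decrypts, strips the random number, and accepts the first candidate whose hash matches. The cipher is a hash-based stand-in rather than NTRU, and `RANDOM_LEN`, `NONCE_LEN`, the `fails` hook that models a per-ciphertext decryption failure, and all function names are assumptions.

```python
"""Toy model of the multi-ciphertext scheme. The cipher is a stand-in, not NTRU."""
import hashlib
import hmac
import secrets

COPIES = 5       # number of ciphertexts per message, as in the embodiment
RANDOM_LEN = 8   # fixed length of the appended random number, in bytes (assumed)
NONCE_LEN = 16   # per-ciphertext nonce of the stand-in cipher (assumed)


class DecryptionError(Exception):
    """No decrypted candidate hashed to the received comparison value."""


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key, plaintext):
    """Stand-in encryption algorithm (XOR stream, for illustration only)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def toy_decrypt(key, ciphertext, fails=lambda ct: False):
    """Stand-in decryption. When fails(ciphertext) is true, the output is
    silently wrong, modelling a decryption failure tied to that ciphertext."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    plain = bytes(c ^ s for c, s in zip(body, stream))
    if fails(ciphertext):
        plain = bytes(b ^ 0xA5 for b in plain)
    return plain


def transmit(key, message, copies=COPIES):
    """Transmission side: `copies` ciphertexts plus the comparison value."""
    ciphertexts = []
    for _ in range(copies):
        # Invertible conversion: message || fresh fixed-length random number.
        converted = message + secrets.token_bytes(RANDOM_LEN)
        ciphertexts.append(toy_encrypt(key, converted))
    return ciphertexts, hashlib.sha1(message).digest()


def receive(key, ciphertexts, comparison_value, fails=lambda ct: False):
    """Reception side: return the first candidate whose SHA-1 matches,
    or raise DecryptionError when none of them does."""
    for ct in ciphertexts:
        decrypted = toy_decrypt(key, ct, fails)
        if len(decrypted) <= RANDOM_LEN:
            continue  # too short to contain a message and the random number
        candidate = decrypted[:-RANDOM_LEN]  # inverse conversion
        digest = hashlib.sha1(candidate).digest()
        if hmac.compare_digest(digest, comparison_value):
            return candidate
    raise DecryptionError("no ciphertext decrypted to the expected message")


def residual_failure(p_single, copies=COPIES):
    """Chance that every copy fails, assuming independent failures."""
    return p_single ** copies
```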

Industrial Application

Each of the apparatuses and of the recording media, which constitutes the present invention, may be used managerially, continuously, and repeatedly, in any industry related to secret message communication. Furthermore, each of the apparatuses and of the recording media, which constitutes the present invention, may be produced and sold in manufacturing industries of electric appliances, managerially, continuously, and repeatedly.

1. An encryption communication system for secret message communication, comprising an encryption transmission apparatus and an encryption reception apparatus, wherein the encryption transmission apparatus includes: a storage unit that stores therein one message; an encryption unit operable to perform an encryption computation on the message a plural number of times, thereby generating ciphertexts equal in number to the number of times of the encryption computation; a computation unit operable to perform a one-way operation on the message, thereby generating a comparison computation value; and a transmission unit operable to transmit the ciphertexts and the comparison computation value, and the encryption reception apparatus includes: a reception unit operable to receive the ciphertexts and the comparison computation value; a decryption unit operable to perform a decryption computation, which corresponds to the encryption computation, on each of the ciphertexts, thereby generating decrypted messages equal in number to the number of the ciphertexts; a computation unit operable to perform the one-way operation on each of the decrypted messages, thereby generating decryption computation values equal in number to the number of the decrypted messages; and a judging unit operable to compare the decryption computation values with the received comparison computation value, and i) if at least one of the decryption computation values matches the received comparison computation value, output a corresponding decrypted message as a correct decrypted text, and ii) if none of the decryption computation values matches the received comparison computation value, output a decryption error.
2. The encryption communication system of claim 1, wherein the encryption computation used by the encryption unit conforms to NTRU cryptosystem, and the decryption computation used by the decryption unit conforms to the NTRU cryptosystem.
3. An encryption transmission apparatus for secret message communication, comprising: a storage unit that stores therein one message; an encryption unit operable to perform an encryption computation on the message a plural number of times, thereby generating ciphertexts equal in number to the number of times of the encryption computation; a computation unit operable to perform a one-way operation on the message, thereby generating a comparison computation value; and a transmission unit operable to transmit the ciphertexts and the comparison computation value.
4. The encryption transmission apparatus of claim 3, wherein the encryption unit comprises: an encryption computation subunit operable to perform an invertible data conversion on the message thereby generating a converted message, and perform an encryption algorithm on the converted message thereby generating a ciphertext; and a repetition control subunit operable to control the encryption computation subunit to repeat the generation of converted message and the generation of ciphertext, the plural number of times.
5. The encryption transmission apparatus of claim 4, wherein the encryption computation subunit generates a random number of fixed length, and generates the converted message by adding the random number to the message.
6. The encryption transmission apparatus of claim 5, wherein the encryption algorithm used by the encryption computation subunit conforms to NTRU cryptosystem.
7. An encryption reception apparatus for secret message communication, where the encryption transmission apparatus stores therein one message, performs an encryption computation on the message a plural number of times thereby generating ciphertexts equal in number to the number of the encryption computation, performs a one-way operation on the message thereby generating a comparison computation value, and transmits the ciphertexts and the comparison computation value, the encryption reception apparatus comprising: a reception unit operable to receive the ciphertexts and the comparison computation value; a decryption unit operable to perform a decryption computation, which corresponds to the encryption computation, on each of the ciphertexts, thereby generating decrypted messages equal in number to the number of the ciphertexts; a computation unit operable to perform the one-way operation on each of the decrypted messages, thereby generating decryption computation values equal in number to the number of the decrypted messages; and a judging unit operable to compare the decryption computation values with the received comparison computation value, and i) if at least one of the decryption computation values matches the received comparison computation value, output a corresponding decrypted message as a correct decrypted text, and ii) if none of the decryption computation values matches the received comparison computation value, output a decryption error.
8. The encryption reception apparatus of claim 7, wherein the encryption transmission apparatus performs an invertible data conversion on the message thereby generating a converted message, performs an encryption algorithm on the converted message thereby generating a ciphertext, and repeats the generation of converted message and the generation of ciphertext, the plural number of times, and wherein the decryption unit comprises: a decryption computation subunit operable to perform a decryption algorithm, which corresponds to the encryption algorithm, on a ciphertext thereby generating a decrypted text, and perform an inverse conversion of the invertible data conversion on the decrypted text thereby generating a decrypted message; and a repetition control subunit operable to control the decryption computation subunit to repeat the generation of decrypted content and the generation of decrypted message, the plural number of times.
9. The encryption reception apparatus of claim 8, wherein the encryption transmission apparatus generates a random number of fixed length, and generates the converted message by adding the random number to the message, and wherein the decryption computation subunit generates the decrypted message by removing the random number of fixed length from the decrypted content.
10. The encryption reception apparatus of claim 9, wherein the encryption algorithm used by the encryption transmission apparatus conforms to NTRU cryptosystem, and wherein the decryption algorithm used by the decryption computation subunit conforms to the NTRU cryptosystem.
11. An encryption transmission method used in an encryption transmission apparatus that stores therein one message and transmits the message in secrecy, the encryption transmission method comprising: an encryption step of performing an encryption computation on the message a plural number of times, thereby generating ciphertexts equal in number to the number of times of the encrypted computation; a computation step of performing a one-way operation on the message, thereby generating a comparison computation value; and a transmission step of transmitting the ciphertexts and the comparison computation value.
12. An encryption transmission program used in an encryption transmission apparatus that stores therein one message and transmits the message in secrecy, the encryption transmission program comprising: an encryption step of performing an encryption computation on the message a plural number of times, thereby generating ciphertexts equal in number to the number of times of the encrypted computation; a computation step of performing a one-way operation on the message, thereby generating a comparison computation value; and a transmission step of transmitting the ciphertexts and the comparison computation value.
13. The encryption transmission program of claim 12, being recorded in a computer-readable recording medium.
14. An encryption reception method used in an encryption reception apparatus that receives a message from an encryption transmission apparatus in secrecy, where the encryption transmission apparatus stores the message therein, performs an encryption computation on the message a plural number of times thereby generating ciphertexts equal in number to the number of times of the encryption computation, performs a one-way operation on the message thereby generating a comparison computation value, and transmits the ciphertexts and the comparison computation value, the encryption reception method comprising: a reception step of receiving the ciphertexts and the comparison computation value; a decryption step of performing a decryption computation, which corresponds to the encryption computation, on each of the ciphertexts, thereby generating decrypted messages equal in number to the number of the ciphertexts; a computation step of performing the one-way operation on each of the decrypted messages, thereby generating decryption computation values equal in number to the number of the decrypted messages; and a judging step of comparing the decryption computation values with the received comparison computation value, and i) if at least one of the decryption computation values matches the received comparison computation value, outputting a corresponding decrypted message as a correct decrypted text, and ii) if none of the decryption computation values matches the received comparison computation value, outputting a decryption error.
15. An encryption reception program used in an encryption reception apparatus that receives a message from an encryption transmission apparatus in secrecy, where the encryption transmission apparatus stores the message therein, performs an encryption computation on the message a plural number of times thereby generating ciphertexts equal in number to the number of times of the encryption computation, performs a one-way operation on the message thereby generating a comparison computation value, and transmits the ciphertexts and the comparison computation value, the encryption reception program comprising: a reception step of receiving the ciphertexts and the comparison computation value; a decryption step of performing a decryption computation, which corresponds to the encryption computation, on each of the ciphertexts, thereby generating decrypted messages equal in number to the number of the ciphertexts; a computation step of performing the one-way operation on each of the decrypted messages, thereby generating decryption computation values equal in number to the number of the decrypted messages; and a judging step of comparing the decryption computation values with the received comparison computation value, and i) if at least one of the decryption computation values matches the received comparison computation value, outputting a corresponding decrypted message as a correct decrypted text, and ii) if none of the decryption computation values matches the received comparison computation value, outputting a decryption error.
16. The encryption reception program of claim 15, being recorded in a computer-readable recording medium.